by readyp1 2535 days ago
It says in the link that Mozilla was nominated "for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK".

So... for circumventing censorship, then?


It appears that way - I cannot fathom the mentality that actively supports censorship. The internet was beautiful, information open and available for all. That idea became so powerful it’s now a threat. Sigh.
> The internet was beautiful, information open and available for all.

"Was" is the correct word to use. Here's a fun example: try explaining to someone non-technical why you can't simply download your e-mails. I went through that exercise this morning, when my wife asked me to download a bunch of e-mails and send them to her in a "folder", which she can then send to someone else.

So then I had to explain that GMail allows me to download a single message -- no bulk downloads, of course -- but it saves it in .eml format, which you can't open with programs that come installed on a typical Windows box. And even if you could, there's no guarantee that the guy you're sending them to can.

Of course, she thought that was stupid: why offer saving e-mails in an "obscure" format? So I had to explain why the Internet is now a bunch of walled gardens and closed services, all built on top of open and standardized protocols and formats. And, of course, those open standards can't improve and evolve easily, because each player in the game wants to lock users and their data inside their own walled garden.

So yeah, the takeaway in a nutshell is that the Internet was once open, but then it became lucrative.

EDIT: I think a lot of people replying here might be missing the point. Like I stated above, I was trying to explain the situation to a non-technical person. Yes, I'm aware of POP and IMAP support. Yes, I know RFC5322 is not an obscure format. But I'm talking about people who don't know or care what these things are. Try downloading a bunch of messages in RFC5322 format, zipping them and sending them to your average lawyer and see how they react.

Besides POP and IMAP, already mentioned, the page for bulk downloading your data from Google is https://takeout.google.com/, which includes Gmail, of course.

She probably still can't open the file in a typical Windows box, since it doesn't come with a decent email application, but MBOX is as standard as it comes.

RFC5322 is not an obscure format. It's been around since forever, and every email client under the sun uses it.

What is an obscure format is whatever Microsoft Outlook uses to store emails: https://en.wikipedia.org/wiki/Personal_Storage_Table

You could have used IMAP
gmail actually still supports POP if you can believe it. I hesitate to even mention it in public for fear that they'll notice and shut it off or put it behind the firewall.
> gmail actually still supports POP if you can believe it. I hesitate to even mention it in public for fear that they'll notice and shut it off or put it behind the firewall.

I can confirm that Google thinks the fact that they can't rate limit IMAP with the same efficacy as their own APIs is a "bug".

Why can't they? I see no technical reason that would prevent them from doing it.
As someone who's never used Gmail, I find it rather amusing how many people seem to think it IS email.

In addition, if you're trying to download email via a web browser you're going about it the wrong way.

Does adding the emails as plain attachments instead of zipped up lead to being able to view them in typical non-geek email clients? It does in the geek email clients I'm aware of.
Does gmail not support pop3? Also, gmail != all email
The internet is still beautiful for me. I don't use gmail.
Side note: you can print email into pdf file
Which is ironic because they also nominated Article 13 for "threatening freedom of expression"
Presumably it takes just a small number of people to submit a nomination, so you’re seeing different nominees from different factions.
Aren't Google and many others looking at it too? Also DNS-over-TLS is also being looked at by Cloudflare, Quad9 and more. I don't see why Mozilla is being called out here.
Most major public (non-ISP) DNS resolvers support DNS-over-TLS today. (This includes Google, Cloudflare and Quad9.) The problem for the ISP is that switching to those resolvers would mean users would no longer use their DNS resolvers. I guess they're selling the data and that's why they're so mad about it. Mozilla is AFAIK the first one to include support for it in a browser. Chrome doesn't support it yet but will do so soon.
Hah! This is the most insane justification I've seen in a while. Even better than when all the tech giants smash competition because "security".

Cloudflare (which has somewhat shady ties to the US govt, maybe) is pushing hard for DNS over a secure channel and it's pissing off ISPs. Because they won't be able to sell personalized browsing history if it catches on....

Control/view of DNS requests is worth A LOT of money to advertisers/ISPs because it's currently immune to ad blockers and ties a user directly to their IP and real info. It's even better than browsing history because it includes everything a user does outside the browser as well, protocol agnostic, cross device.

It's the perfect example of "metadata" that various companies and agencies collect for all sorts of shitty reasons. It's the last cleartext frontier of activity monitoring.

But if Cloudflare is the point of aggregation and the ISP can no longer distinguish between what, according to UK law, is legal and illegal traffic, then... surely the legal onus of performing the filtering will fall on Cloudflare?

When they are providing internet content to UK customers, they must respect UK law. It's a dangerous chicken game to think the UK will not be able to enforce its laws against Cloudflare.

The villain here is the UK govt. ISPs should applaud the technical developments with all their hearts since they are legally off the hook.

I would be okay with showing all of the UK a "Sorry, it doesn't appear your government supports modern common sense. Please consider upgrading your government for full site functionality."
Man, I would hate to block off support for a bunch of the things that people need for their daily work, but if it makes things obvious to everyone who's at fault, then it might just work, and I'd be willing to take a hit for that to happen.
This doesn’t make any sense. Your ISP still knows your browsing history even if they can’t see your DNS requests.
No they don't. TLS has encrypted sites for a long time. And with encrypted SNI they get no info about browsing history. This is a blatant attempt to stymie the last cleartext protocol that can be used to record browsing history.
Not if your traffic is HTTPS+TLS. They will only know--if they are the target DNS server--what IP you are connecting to. The secure channel protects against them knowing more than that.
SNI leaks the domain name you are requesting. It's pretty shocking.
Firefox also supports ESNI! These crazy villains... *shakes fist at Mozilla*
There is already work on encrypted SNI. Last time I looked, it uses information from DNS, so encrypted DNS is a prerequisite.
How? Wouldn't they just see TCP packets?
They see the destinations of those packets, so they know what sites (IP addresses) you're interacting with, on what ports.

They don't get the domain names, but for the very popular web properties that all these analytics care about calculating your relationship to, they don't need them; the IP is enough to discern which site you're visiting.

Yes, and the IP addresses there are public, and reverse DNS entries are easy to find. There's some ambiguity, but not much. Your ISP doesn't care about the difference between fbcdn.net and facebook.com when selling your traffic history.
It’s a double edged sword. DoH will enable unblock-able ads.
It would only be a difficulty for intercepting devices like PiHoles (and I don't think it's an insurmountable difficulty either, if you control both the Pi and the computer). It wouldn't affect browser-based adblockers, which is how the majority of adblocking is already done, because browsers already have access to the unencrypted request.
That would be my point too. DNS-based content blocking is very ineffective and can be outsmarted very easily.

DNS filters might be very easy to set up but if they become more major they can be outsmarted very easily - what if Google starts serving ads from www.google.com, would you block that domain name too? Browser extensions can block content far more precisely.

And smart TVs and such stuff could easily switch resolvers and just not use your Pihole's DNS resolver - that would work even without DoH as long as you don't intercept traffic on your router. E.g. Fire TV already adds Google DNS as an additional DNS server (you can't change that). Chromecast only uses Google DNS (AFAIK you can't change that either). I guess the only viable option here is just not to buy those products.

Or just intercept and redirect requests to Google's DNS.
DNSMasq, the resolver used by many adblock tools, supports DNS-over-HTTPS.
This assumes the web browser talks to your DNSmasq server. Currently Mozilla is making a straight run to Cloudflare.
If your (on-LAN or otherwise under-your-control) DNS server talks DNS-over-HTTPS, Mozilla can just talk directly to it. That's the point. The browser-specific option can be used where that's not viable or reliable (mobile devices, third-party networks).

And devices are handed DNS servers (with the option to opt out) via DHCP when they connect to the LAN.

Okay, and if malware uses DoH to figure out how to connect to its C&C server, how do I stop that DoH request (given it looks like any other HTTPS request)?

If Cloudflare starts serving DNS traffic from HTTPS on its CDN, the malware can use Cloudflare for DNS. Am I supposed to block all of Cloudflare's IPs because they can be used to circumvent DNS query monitoring?

That's a separate threat model. DoH addresses surveillance, censorship, and injection by ISPs.

One that DNSmasq already addresses in part through various adblock and malware-blocking DNS blacklists. I'm using one such that updates hourly or better. Requests to or for specific domains may be blocked (and are).

Keep in mind that by using DNSmasq at a centralised LAN server, you now have a single point of control to defend against such threats, rather than relying on multiple device- and application-specific points of control. Though software (such as browsers) offering its own defences against such threats is in no way hindered.

You can further, and more appropriately IMO, defend against such threats at the firewall level, by blocking network space (rather than domains) and ports associated with malware. At the OS level, firewalls such as Little Snitch monitor and block traffic at the application / process and user level, and may detect, alert on, and/or block such malware.

Does this really matter? I am sure there are other ways malware could work around DNS blocking if it was motivated to.
How?
Internet of Shit devices, Smart TVs, etc. would be unaffected by DNS-level adblocking. But to be fair, one shouldn't support such awful business practices by buying such devices anyway.
What's so awful about a device having ads in it?
Everything? Horrible user experience, privacy concerns, malware aplenty, and if it's a device I'm buying it's pretty sketchy behavior throwing ads in it, since I'm not going to know that before buying it or be able to do anything about it.
Paid devices vs. free internet service? One of these should definitely _not_ have advertising.
The ads
There was a recent count of some smart TV brand showing an advert on the on-screen volume slider.

How do you like them ads?

Update: https://www.flatpanelshd.com/news.php?id=1416894724&subactio...

To your child, since I cannot reply to them:

You have no evidence that the devices would be more expensive. Your only evidence is that the companies would receive less income all else being equal. But what is the evidence that the trade off is your eyeballs instead of your dollars? And if the tv is perfect except for the ads, where do you get the more expensive, ad free version?

The devices would be more expensive otherwise. I don't really mind, especially in a case like this where you can just turn it off.
If you’re not paying for the device, you’re the product.
Which is good because this isn't a zero-sum game and I lose nothing by companies getting value out of me this way.
Dns blacklisting of ad domains is a common technique.
And how does DoH prevent that?

I would presume that, like with DNS over DNS¹, a resolver could check /etc/hosts first prior to attempting to resolve over the network; do proposed DoH resolvers not do that?

Worse comes to worse, you could always run your own local resolver.

¹or whatever we're calling the original protocol now
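The "resolver under your control can still apply blocklists" and "check /etc/hosts first" points above, as an added example that is not from this thread: a small RFC 8484 DoH front end for a LAN resolver that decodes the GET form of a query, consults a hosts-style blocklist before anything is forwarded, and sinkholes blocked names to 0.0.0.0. The blocklist entries and query names are constructed for the demo; upstream forwarding is left to the caller.

```python
"""Added example: DoH (RFC 8484) GET decoding plus hosts-style blocklist check.
Standard library only. Blocklist contents are constructed, not real domains."""
import base64
import struct

HOSTS_BLOCKLIST = """# constructed, /etc/hosts style: sinkhole address then names
0.0.0.0 fancy.ads
0.0.0.0 tracker.example
"""


def load_blocklist(text):
    """Collect every hostname from hosts-file lines (comments stripped)."""
    blocked = set()
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            blocked.update(p.lower().rstrip(".") for p in parts[1:])
    return blocked


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Wire-format query: 12-byte header (RD set) plus one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def to_doh_param(wire):
    """RFC 8484 GET form: the ?dns= value is base64url without '=' padding."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def from_doh_param(param):
    """Restore the padding base64url stripped and decode back to wire format."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(wire):
    """Return (txid, qname, qtype, end_offset) for the first question.
    Question names are never compressed, so a pointer here is malformed."""
    txid, _flags, qdcount = struct.unpack("!HHH", wire[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        ln = wire[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(wire[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype = struct.unpack("!H", wire[pos:pos + 2])[0]
    return txid, ".".join(labels).lower(), qtype, pos + 4


def sinkhole_response(query_wire, ttl=60):
    """Answer an A query with 0.0.0.0, echoing the original question section."""
    txid, _qname, _qtype, end = parse_question(query_wire)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    # 0xC00C = compression pointer to the name at offset 12; then A/IN/TTL/len 4
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(4)
    return header + query_wire[12:end] + answer


def handle_doh_get(param, blocked):
    """Decode a ?dns= value. Blocklisted A queries (or any subdomain of a
    blocked name) get ('sinkhole', response); otherwise ('forward', qname)."""
    wire = from_doh_param(param)
    _txid, qname, qtype, _end = parse_question(wire)
    labels = qname.split(".")
    suffixes = (".".join(labels[i:]) for i in range(len(labels)))
    if qtype == 1 and any(s in blocked for s in suffixes):
        return "sinkhole", sinkhole_response(wire)
    return "forward", qname
```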

DoH bypasses the normal resolver, and gives control over resolution to the browser. Not a big deal if your browser is from Mozilla. A little more concerning if your browser is from google.
That's how it's done now, because browsers want to push the tech when nobody else has yet bothered; but it would make a lot more sense in the long term for DNS to stay an OS-level concern, so I would expect DoH to be implemented by the OS DNS resolvers.
DoH is just a protocol. Your appliance/application could choose to bypass the network specified resolver whether or not it uses DoH.
That hardly makes ads "unblockable".
At the moment you can make a tv that resolves dns using 8.8.8.8 and looks at fancy.ads to display an ad in the tv guide/web browser/youtube app/whatever. But I can make my router direct any dns request back to itself and filter fancy.ads so that it never resolves to anything useful.

DNS over HTTPS means that you can make a tv that resolves dns using https://8.8.8.8 and looks at fancy.ads. But I can't mitm it because I don't have a suitable trusted certificate to respond to that request. So either the request to fancy.ads gets dropped and the request to online.movies.example.com gets dropped so I can't use my smart tv for its intended purpose. Or both get through.

Obviously things are different if the service uses standard OS level configuration so I can tell it to resolve dns using https://my.adblocked.dns or /etc/hosts. But nothing obliges any particular system to do that.

If my logic is faulty, please, do inform.

If the TV manufacturer wanted to implement this mechanism, they wouldn't need DoH to do it. They could just put the ads right on online.movies.example.com and use TLS there. Any kind of ad-blocking mechanism based on DNS is trivially bypassable.

Suggesting that we should weaken encryption/privacy because some people plan to use it in ways that we don't like is just not a viable option. It's exactly the argument that governments are trying to use to mandate backdoors in our chat services. With encryption, it's all or nothing.

The solution is to do as most governments do [0]: sniff the SNI header during TLS handshakes and drop the connection if the domain matches your blocklist(s)//regex filters.

[0] https://signal.org/blog/looking-back-on-the-front/
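The SNI check described in this comment, as an added example that is not the commenter's code: it pulls the server_name out of a TLS ClientHello with the standard library only and decides whether a router-level filter would drop the connection. The ClientHello is constructed inline and the blocklist names are made up; a handshake with no SNI (the ESNI/ECH case raised later in the thread) simply passes, which is exactly the blind spot of this approach.

```python
"""Added example: extract SNI from a TLS ClientHello and match a blocklist.
The blocklist and the ClientHello below are constructed for the demo."""
import struct

BLOCKLIST = {"fancy.ads"}  # constructed


def build_client_hello(server_name=None):
    """Constructed TLS 1.2-style ClientHello; server_name=None omits SNI."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sni_list)) + sni_list   # extension type 0
    body = (b"\x03\x03" + bytes(32)                # client_version, random
            + b"\x00"                              # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the lower-cased host_name from a ClientHello record, else None.
    Every length is bounds-checked so a truncated or non-handshake record
    cannot raise; it just yields None."""
    if len(record) < 5 or record[0] != 0x16:            # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                    # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                        # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                                # compression_methods
    if pos + 2 > len(body):
        return None                                     # no extensions block
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == 0 and len(data) >= 2:               # server_name extension
            lpos = 2                                    # skip server_name_list length
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:
                    return data[lpos:lpos + nlen].decode("ascii", "replace").lower()
                lpos += nlen
    return None


def filter_decision(record, blocklist=BLOCKLIST):
    """'drop' if the SNI or any parent domain is blocklisted, else 'pass'.
    A ClientHello without SNI passes: the filter has nothing to match on."""
    name = extract_sni(record)
    if name is None:
        return "pass"
    labels = name.split(".")
    if any(".".join(labels[i:]) in blocklist for i in range(len(labels))):
        return "drop"
    return "pass"
```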

If you could get your own cert onto said device you could MITM yourself and preserve adblocking.
I can't reply to my children, so I'm replying to myself instead.

Uponcoffee suggests inspecting the SNI header to drop the TLS handshake. So the DNS resolves fine, but when they try to connect to https://fancy.ads, that request is tampered with and fails. As far as I know, that depends on a bug in TLS which will be fixed in some future version, so that inspecting such a request becomes impossible.

NegativeLatency suggests installing an alternative certificate. This would presumably work if I have root access to my smart device. Maybe I can get access to root on my smart tv, I'm not sure, I don't use smart tvs.

But random people can't get access to root on their phone. It will break their banking apps. I can install an adblocker on my phone and accept the consequences of my actions. I'm not sure what the tradeoff between adblocking and banking apps is, even for me. I would probably want to write my own browser based app to let me log into my bank from a separate web browser - if I'm trying to log into my bank when I'm standing in the queue I don't want to piss fart around with stupid browser tabs.

I certainly can't tell my coworker "yeah I'll just install this ad blocker on your phone, it'll block some analytics too so your privacy will be a little more respected" if the only way to do it is to break their banking apps.

I mean, okay, the ads aren't unblockable. But we are at the point where I have to make a trade off between letting you run whatever code you want on my phone, and letting you not run any code at all on my phone. Capitalism depends on negotiation to work. If it's just "I'm a big company, use my service or don't", capitalism stops working.

Do you wear a seatbelt? It's the same thing.
Is there any disadvantage about activating it? Is the default (https://mozilla.cloudflare-dns.com/dns-query) adequate?
Make sure you have a resolver mode (trr.mode) that matches your comfort!

0 = use whatever the default is (one of the below)

1 = race DoH and regular dns and use whichever replies first

2 = try DoH and then fall back to regular dns

3 = only DoH

4 = unused

5 = explicitly off

The default resolver is identical to 1.1.1.1 except it collects less data: https://developers.cloudflare.com/1.1.1.1/commitment-to-priv...

> Is there any disadvantage about activating it?

How do you do split-horizon DNS if the browser goes out to some random IP for DNS instead of using the OS-supplied resolver (resolv.conf)?

If malware starts using it to contact C&C servers, how do I find the domain that's being talked to? If malware has to talk to internal DNS servers, I can examine the query log. If the malware uses Cloudflare's CDN IPs for DNS, am I supposed to block all of Cloudflare?

If it's malware behaviour you're worried about, DoH is not special in any way. Malware using tunnels (and more) to ensure connectivity to its C&C servers is commonplace.
And how does the malware determine which IP to connect to? Often, though of course not always, they use DNS:

* https://en.wikipedia.org/wiki/Fast_flux

Of course DNS is used often; it's the most convenient. But the point isn't "sometimes DNS is used"; I never claimed "DNS is never used".

The point is "DNS is not the only way and malware authors have known and used this fact". The counter-convenience you seem to be looking for — to quote your prior statement, with added emphasis: "If malware has to talk to internal DNS servers ..." — was never there in the first place. No matter how hard you try, there is no way you can force all malware ever to always talk to your internal DNS servers.

It would contribute to the centralization of the internet, by making cloudflare more important.
Requests take orders of magnitude more data because you have to negotiate TLS each time. Not the end of the world obviously but you will generate more traffic and observe slightly reduced performance.
> you have to negotiate TLS each time

It's not so bad, because HTTPS supports keep-alive, so you can make a bunch of queries with a single TLS handshake.

You get to do session resumption or even re-use an existing session if it hasn't closed yet.

For a random third party that might still be slow but Mozilla and Cloudflare have every reason to do every trick that's safe to speed this up, including 0RTT TLS because replaying DNS queries isn't a problem.

> So... for circumventing censorship, then?

I don't know about ISPs, but as someone in IT, DoH could be a mess. If Firefox ignores resolv.conf how is split-horizon going to work? Wait until malware starts using it and it can't be blocked with blacklisting, e.g., entire CDN IP ranges.

Paul Vixie has strong views on DoH:

* https://twitter.com/paulvixie

I'd be okay if they at least used DNS-over-TLS (DoT): privacy and it can at least be handled by firewalls for us corporate types.

People should cut it out with the split horizon DNS. Like NAT this was always a nasty hack, of course things will break if you do it.

If you need malware to be nice and use your configured security systems or else it'll cause problems I have bad news for you: the malware authors aren't on your side.

Everything DoH, eSNI, TLS 1.3 and QUIC and a dozen other protocols are doing was already trivial for malware to do if it wanted. If your defences begin by assuming bad guys are only doing things that obey all your rules you've fundamentally misunderstood what "bad guys" even are.

> People should cut it out with the split horizon DNS.

We have a bunch of internal-only 10.x hosts and services. Why would we put them in our external DNS?

> If you need malware to be nice and use your configured security systems or else it'll cause problems I have bad news for you: the malware authors aren't on your side.

I don't. But if I see DNS traffic flowing from systems that are not our internal DNS servers, I know to look at them.

It's the same reason SMTP traffic was bottlenecked: everything goes through relays so it can be monitored.

> If your defences begin by assuming bad guys are only doing things that obey all your rules you've fundamentally misunderstood what "bad guys" even are.

Defences begin with observation. With DoH you can't tell what's going on with regards to queries. I'd much rather have DoT: still gives privacy, but since it has its own port, then it can be dealt with more easily. Of course having an IANA-assigned port allows for ISP/government filtering.

And ease of surveillance
I love Mozilla. I respect DoT/DoH. I support the adoption of private DNS for mature, independent, internet users. I personally value freedom of access to information over censorship. All these things should be protected by governments and the software we build.

I do not, however, dismiss the UK’s argument that society needs a practical way for parents to monitor and potentially filter what type of content their children are encountering online. I do not believe a child deserves the same privacy as a grown adult. It’s not even really arguable: it’s a parent’s responsibility to parent their children. The only practical way for a parent to do so if everything uses global/e2e DNS privacy is to give children “managed” devices with non-administrator accounts, or physically hovering over their shoulder all the time (yes children can earn more privacy as they build more trust and mature, but that’s for a parent to decide). It’s much easier and more effective to manage this at a network level.

Furthermore, a consenting adult, without needing justification but common ones include: security, & ad-block, may choose to sacrifice a small amount of privacy (either because they don’t care or because they trust someone with the information) to enter into a relationship where they delegate filtering and monitoring to a third party. If someone wants to build a DNS resolver that doesn't resolve queries to companies run by assholes, then so be it.

Browser mandated DNS privacy prevents all of this (unless you have administrative access to install and configure DNS resolvers on all the devices you own—but you don’t: thanks Apple and the cloud-based internet of shit). And even then if vendors pin keys or certs then have fun. Mozilla certainly isn’t the devil and doesn’t deserve this assessment, but the controversy surrounding fast-tracking proliferation of vendor-controlled DNS “privacy” is warranted.

There’s a final point that often gets overlooked. If Mozilla or Google start shipping browsers that use their own DNS privacy resolvers, it’s a power play (whether intentional or not). They now control DNS, not you, not independent third parties. They now have more data about you. And they can start deploying nefarious things that only work in their vertically integrated web.

I don’t think it’s that much of a stretch to say blindly and hastily pushing DNS privacy without standards in place to defend interoperability of software and internet systems and prevent even deeper vertical integration is bad for the internet.

I am happy we have started exploring ways to extend privacy to the DNS. But I should be able to manage my network in my own home in whatever way I see fit. I do not wish to concede control of such a fundamental system so hastily to browser vendors, of all people.

I'm not sure I understood your argument, very likely due to my limited knowledge in this area.

You say:

> society needs a practical way for parents to monitor and potentially filter what type of content their children are encountering online.

I agree with you on this point. But how does Mozilla's initiative prevent parents from filtering what type of content their children are allowed to be exposed to online or asserting control over this activity?

I would first argue that this is more than anything a responsibility of the parent - unsupervised internet browsing by children should not really be happening and no technology can save people (children included) from themselves/mistakes/curiosity/etc. as efficient as education can. If the children are too young they won't care that their browsing is filtered, if they are old enough to be knowledgeable about this kind of stuff they will likely find a way to circumvent filtering.

Second, surely, Mozilla can make the DoH functionality optional and, together with other local access & filtering measures, you can probably put in place a system that works for this case. You're again correct that it’s easier to manage this at a network level, but private DNS doesn't automatically impede us from doing so, albeit it forces our hands to do so differently if the user can't decide for himself when to use it.

Third, if enough demand will appear for such a feature (i.e. to allow parents to filter browsing for children), I am confident that paid or even free solutions will emerge to address it. The way I see it, users should not concede control to browser vendors, especially if they are Google, but also if they are governments. I argue that we should trust our (democratic) governments with many things, but not with the guarantee that they will always work in the public interest. We need mechanisms to ensure they're always kept in check _before_ things go south.

> If Mozilla or Google start shipping browsers that use their own DNS privacy resolvers, it’s a power play.

That's quite true and a reasonable point that I think needs addressing in a meaningful way. What we should have is more user control.

Sounds like I could have made my point more clear. We agree: user control is the fundamental necessity. My rant is mostly against pushing DoH/DoT out without building in the appropriate user controls. I am okay with Mozilla doing it from a privacy angle. I’m more concerned with someone like Google pushing out this “privacy” feature then pivoting and all of a sudden DoH is the only supported protocol. Look what happened to XMPP with google chat.
Fair point. And thanks for the clarification.
Firefox's DoH resolver is user-configurable but could presumably be locked down by enterprise or parental controls.
It's like being on Nixon's or Trump's enemies list: a badge of honor!

They should pass out top hats and stick-on curly waxed mustaches to all Mozilla employees, to celebrate.

https://en.wikipedia.org/wiki/Villain

And default logging all your lookups with a third-party, I gather.
For circumventing ISP data collection on user browsing habits.